Appl.No. 10/688,026 

Amdt. dated September 5, 2007 

Reply to Office Action of March 9, 2007 



PATENT 



Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings of claims in the application: 
Listing of Claims: 

1. (Currently amended) A policy setting support tool for creating, in a computer system equipped with an access control unit that controls access to computer-managed resources based on policies, said policy setting support tool comprising:

a first information database arranged by the kind of subject containing sample policies prepared as standard or recommended policies, an access log holding a history of the normal behavior of the subject, and installation information including the path to the subject installed in said computer system;

a second information database arranged by the kind of object containing association information representing the subjects that are most frequently used to access the object;

an access monitoring unit for monitoring the behavior of the subject and recording it in said access log;

a differential detection unit for collating said installation information with said sample policy and detecting the differences between them;

a policy creation unit for creating a draft policy based on said sample policy, said association information, and said differences detected by said differential detection unit; and

a user interface unit for presenting said draft policy to the user, revising said draft policy as directed by the user, and saving the revised policy as the final policy.

2. (Original) The policy setting support tool of claim 1, further comprising:

a unit for creating a draft policy from one or more of said sample policy, said association information, and said access log, in accordance with the directions given by the user through said user interface unit, and

a unit for setting up a policy by accepting requests for revising said draft policy and saving the revised policy.

3. (Currently amended) A policy setting support tool for maintaining, in a computer system equipped with an access control unit that controls access to computer-managed resources based on policies, said policy setting support tool comprising:

an information database or a set of information databases containing the most up-to-date information regarding the subjects and objects of access;

a differential detection unit for collating the most up-to-date information regarding the subject and object of the access retrieved from said information database or said set of information databases with the policies that are already set up, and detecting the items that need to be revised;

a policy creation unit for creating a draft policy based on the result of detection produced by said differential detection unit; and

a user interface unit for presenting said draft policy to the user for visual confirmation and revising said draft policy as directed by the user.

4. (Currently amended) The policy setting support tool of claim 3, wherein said differential detection unit performs the collation and detection processing at regular intervals or at the demand of the user, and upon detecting any difference, presents the detected difference to the user through said user interface unit, and further wherein the user of said policy setting support tool visually checks said difference presented to the user, determines whether the policy should be revised as presented, revises it if and as necessary through said user interface unit, and saves the final policy.
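The creation workflow of claim 1 (collate installation information with a sample policy, build a draft from the sample policy, the association information and the detected differences, let the user revise and save) and the maintenance check of claims 3 and 4 (collate up-to-date information with the policy already set up and flag the items needing revision) can be sketched in code. The example below is added here for illustration and is not the applicant's code or claim language. Every subject, object, path and rule in it is constructed; a rule is modelled as a (subject path, object, operation) triple, and the choice of "read" as the default operation for association-derived rules is an assumption of this example.

```python
"""Added illustration of claims 1, 3 and 4; all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    """One permitted access: subject program (by installed path), object, operation."""
    subject: str
    obj: str
    op: str


# First information database (claim 1), arranged by kind of subject:
# constructed sample policy, installation information and access log.
SAMPLE_POLICIES = {
    "httpd": [
        Rule("/usr/sbin/httpd", "/var/www", "read"),
        Rule("/usr/sbin/httpd", "/var/log/httpd", "write"),
    ],
}
INSTALL_INFO = {"httpd": "/opt/apache/bin/httpd"}  # installed at a non-standard path
ACCESS_LOG = {"httpd": [("/opt/apache/bin/httpd", "/etc/httpd/conf", "read")]}

# Second information database (claim 1), arranged by kind of object: the
# subjects most frequently used to access each object (constructed).
ASSOCIATION = {
    "/var/www": ["/opt/apache/bin/httpd", "/usr/bin/rsync"],
    "/srv/uploads": ["/opt/apache/bin/httpd"],
}


def detect_differences(kind):
    """Differential detection unit: return the sample rules whose subject path
    differs from the path recorded in the installation information."""
    installed = INSTALL_INFO[kind]
    return [r for r in SAMPLE_POLICIES[kind] if r.subject != installed]


def create_draft_policy(kind):
    """Policy creation unit: resolve each detected difference by rewriting the
    sample rule to the installed path, then add what the access log shows as
    normal behaviour and the objects the subject is associated with."""
    installed = INSTALL_INFO[kind]
    differing = set(detect_differences(kind))
    draft = set()
    for r in SAMPLE_POLICIES[kind]:
        draft.add(Rule(installed, r.obj, r.op) if r in differing else r)
    for subj, obj, op in ACCESS_LOG.get(kind, []):
        draft.add(Rule(subj, obj, op))
    for obj, subjects in ASSOCIATION.items():
        if installed in subjects:
            # "read" is an assumed default operation for association-derived rules
            draft.add(Rule(installed, obj, "read"))
    return draft


def save_final_policy(draft, remove=(), add=()):
    """User interface unit: apply the user's revisions to the draft and return
    the final policy."""
    final = set(draft) - set(remove)
    final.update(add)
    return frozenset(final)


def items_needing_revision(policy, up_to_date_install_info):
    """Maintenance (claims 3 and 4): collate up-to-date installation information
    with the policy already set up and return the rules whose subject path is
    no longer an installed path, i.e. the items that need to be revised."""
    installed_paths = set(up_to_date_install_info.values())
    return sorted(r for r in policy if r.subject not in installed_paths)


if __name__ == "__main__":
    for r in detect_differences("httpd"):
        print("sample rule differs from installed path:", r)
    draft = create_draft_policy("httpd")
    # The user drops the uploads rule before saving (simulated direction).
    final = save_final_policy(draft, remove=[Rule("/opt/apache/bin/httpd", "/srv/uploads", "read")])
    for r in sorted(final):
        print("final:", r)
    # Later maintenance run after httpd moved again: every rule now needs revision.
    for r in items_needing_revision(final, {"httpd": "/usr/local/bin/httpd"}):
        print("needs revision:", r)
```

The draft is built from three sources exactly as the claim lists them, and the maintenance check reuses the same rule set so that a path change surfaces as a list of concrete rules for the user to confirm rather than as a silent rewrite.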

5. (Currently amended) A policy setting support tool for creating, in a computer system equipped with an access control unit that controls access to computer-managed resources based on policies, said policy setting support tool comprising:

an information database holding, for each object of access, association information representing the subjects that are most frequently used as a unit of access to the object, and

a unit for creating a policy from the association information held in said association information database.

6. (Currently amended) The policy setting support tool of claim 5, further comprising:

a subject-specifying unit for specifying a unit of access to the object according to its purpose, and

a unit for creating said policy while designating the program specified by said subject-specifying unit as the subject that is permitted to access multiple kinds of objects that are included in the association information.

7. (Currently amended) The policy setting support tool of claim 5, wherein said computer system includes a collection of identifications of the subjects equipped with an object-sharing handling unit for sharing objects that are included in the association information among multiple subjects and a collection of object-sharing information listing the types of object that can be accessed by each subject, said policy setting support tool further comprising a unit for creating a policy that permits all or some of the types of access from a subject registered in said collection of object-sharing information to objects available to said subject.

8. (Currently amended) The policy setting support tool of claim 5, further comprising a unit for being notified by said access control unit of any access attempts violating said policy, for notifying the user of said computer system administering objects to be accessed about said access attempts with the reason for violating the policy, and for carrying out a process based on a judgment made by said user in response to the notification, wherein:

said judgment made by said user is a choice between thereafter permitting all of said access attempts violating said policy, permitting said access attempt only this time, and prohibiting all of said access attempts violating said policy;

in case said judgment made by said user is to thereafter permit all of said access attempts violating said policy, said process is to revise said policy so as to make said access attempts legitimate and to notify said access control unit of the legitimacy of said access attempts;

in case said judgment made by said user is to permit said access attempt only this time, said process is to notify said access control unit of the legitimacy of said access attempt, without revising said policy; and

in case said judgment made by said user is to prohibit all of said access attempts violating said policy, said process is to notify said access control unit of the illegitimacy of said access attempts, without revising said policy.

9. (Original) The policy setting support tool of claim 5, further comprising a unit for being notified by said access control unit of any access attempts to an object not registered in the collection of said policies coming from a subject associated with said object, for notifying the user of said computer system about said access attempts, and for carrying out a process based on a judgment made by said user in response to the notification, wherein:

said judgment made by said user is a choice between permitting and prohibiting said access attempt made to said object not registered in the collection of said policies coming from a subject associated with said object;

in case said judgment made by said user is to permit said access attempt, said process is to revise said policy so as to make said access attempt legitimate and to notify said access control unit of the legitimacy of said access attempt; and

in case said judgment made by said user is to prohibit said access attempt, said process is to notify said access control unit of the illegitimacy of said access attempt, without revising said policy.

10. (Original) The policy setting support tool of claim 5, further comprising a unit for being notified by said access control unit of any access attempts coming from a subject which only partially matches the collection of said policies, for notifying the user of said computer system about said access attempts, and for carrying out a process based on a judgment made by said user in response to the notification, wherein:

said judgment made by said user is a choice between permitting and prohibiting said access attempt made by said subject;

in case said judgment made by said user is to permit said access attempt, said process is to revise said policy so as to make said access attempt legitimate and to notify said access control unit of the legitimacy of said access attempt; and

in case said judgment made by said user is to prohibit said access attempt, said process is to notify said access control unit of the illegitimacy of said access attempt, without revising said policy.
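Claims 8, 9 and 10 all describe the same notify-judge-act loop: the access control unit reports an attempt the policy does not cover, the tool tells the administering user why, and the user's judgment decides whether the policy is revised and what legitimacy verdict goes back to the access control unit. The example below is added here to make that loop concrete and is not the applicant's code or claim language. The policy, association information and access attempts are constructed; the access control unit is a stand-in that only records the verdicts it is notified of, and the wording of each reason string is this example's own.

```python
"""Added illustration of the judgment process of claims 8 to 10; all data is constructed."""
from enum import Enum


class Judgment(Enum):
    PERMIT_ALWAYS = "thereafter permit all such attempts"  # claim 8: revise policy, notify legitimate
    PERMIT_ONCE = "permit this attempt only"               # claim 8: notify legitimate, policy unchanged
    PROHIBIT = "prohibit all such attempts"                # claim 8: notify illegitimate, policy unchanged


class AccessControlUnit:
    """Stand-in (assumption of this example) for the access control unit of the claims."""

    def __init__(self):
        self.verdicts = []  # (attempt, legitimate) pairs this unit was notified of

    def notify(self, attempt, legitimate):
        self.verdicts.append((attempt, legitimate))


# Constructed policy: set of (subject path, object, operation) triples.
POLICY = {("/usr/sbin/httpd", "/var/www", "read")}
# Constructed association information: object -> subjects associated with it.
ASSOCIATION = {"/var/www": ["/usr/sbin/httpd"], "/srv/data": ["/usr/sbin/httpd"]}
# Constructed attempts reported by the access control unit.
ATTEMPT_WRITE = ("/usr/sbin/httpd", "/var/www", "write")      # claim 10 situation
ATTEMPT_UNREGISTERED = ("/usr/sbin/httpd", "/srv/data", "read")  # claim 9 situation
ATTEMPT_UNKNOWN = ("/usr/bin/nc", "/var/www", "read")          # plain claim 8 violation


def violation_reason(policy, association, attempt):
    """Reason reported to the user, distinguishing the cases the claims name.
    The categorisation and wording are assumptions of this example."""
    subject, obj, _op = attempt
    objects_in_policy = {o for _s, o, _p in policy}
    subjects_in_policy = {s for s, _o, _p in policy}
    if obj not in objects_in_policy and subject in association.get(obj, []):
        return "object not registered in policy, attempt by an associated subject (claim 9)"
    if subject in subjects_in_policy:
        return "subject only partially matches the policy: no rule for this object/operation (claim 10)"
    return "subject has no rule in the policy (claim 8)"


def handle_attempt(policy, attempt, judgment, acu):
    """Carry out the process each claim ties to the user's judgment. Returns the
    (possibly revised) policy; the access control unit is notified in every case."""
    if judgment is Judgment.PERMIT_ALWAYS:
        policy = set(policy) | {attempt}   # revise the policy so the attempt becomes legitimate
        acu.notify(attempt, True)
    elif judgment is Judgment.PERMIT_ONCE:
        acu.notify(attempt, True)          # legitimate this time only; policy untouched
    elif judgment is Judgment.PROHIBIT:
        acu.notify(attempt, False)         # illegitimate; policy untouched
    else:
        raise ValueError(f"unknown judgment {judgment!r}")
    return policy


if __name__ == "__main__":
    acu = AccessControlUnit()
    policy = set(POLICY)
    # Simulated user judgments for the three constructed attempts.
    for attempt, judgment in [
        (ATTEMPT_WRITE, Judgment.PERMIT_ALWAYS),
        (ATTEMPT_UNREGISTERED, Judgment.PERMIT_ONCE),
        (ATTEMPT_UNKNOWN, Judgment.PROHIBIT),
    ]:
        print("notify user:", attempt, "-", violation_reason(policy, ASSOCIATION, attempt))
        policy = handle_attempt(policy, attempt, judgment, acu)
    print("final policy:", sorted(policy))
    print("verdicts sent to access control unit:", acu.verdicts)
```

Only the "permit all hereafter" judgment touches the policy; the other two leave it unchanged and differ only in the verdict sent back, which is the distinction the three "in case" clauses of claim 8 draw.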